Singapore’s latest weapon to fight the COVID-19 virus is a smartphone app: TraceTogether. The main objective of this app is to facilitate contact tracing, enabling close contacts to be found more quickly and comprehensively.
When installed in your smartphone, the TraceTogether app uses Bluetooth to actively discover other TraceTogether users. Information about nearby contacts, who are effectively anonymous to both users, are recorded locally on each smartphone for a certain period of time. GovTech, the agency which developed the TraceTogether app, says the data is not uploaded to the cloud, and they will have to seek permission from you to access data recorded by your app.
I know in a pandemic crisis like we’re in right now, contact tracing is very important and I am inclined to support such a move. But the cybersecurity side of me is sounding alarm bells. The immediate thoughts are about Big Brother monitoring.
Should we trust this app? It’s from the government, and in these difficult times, we got to pick someone to trust. The whole point of TraceTogether is to help us, after all.
However, I do wish that GovTech had shared more technical details about how TraceTogether works. They have given a very high-level concept of how the app works, and that lacks a lot of detail. The sketchy information available leaves us guessing a lot about what is going on in the app.
A common question coming from many Android users will be about location permissions that the TraceTogether app requires. If “the app does not track your location or contacts”, then why is Location permission requested?
This question has a valid answer. It turns out that Android requires the user to give Location permission in order for an app to use Bluetooth scanning. It is intended to be a reminder to users that your location information may be leaked through such activity. TraceTogether says they do use the location information.
I’ll let that matter pass, but for completeness of discussing that point, I have to add that the app can request location even if it doesn’t do so now. Furthermore, understand that the app can read your Bluetooth MAC address, which can also serve as an identifier, and since your phone number is required during sign-up, someone now has an association between a phone number and a physical device.
I should say again that I am not, in principle, against the TraceTogether app. I just wished GovTech could have provided detailed technical information to address questions from paranoid cybersecurity people.
The success of TraceTogether is heavily dependent on enough people using the app. If you’ve not installed the app, check out the TraceTogether website.